MEDIUM
catchplugins
CVE published 2026-07-16
CVE-2026-15336
The Catch Themes Demo Import plugin for WordPress has a missing authorization vulnerability in versions up to and including 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate [truncated]